cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

F5 Load balancer troubleshooting for SAP Work Manager

Former Member

on ‎06-20-2014 2:49 AM

0 Kudos

Hi,

  We are setting up F5 load balancer for our UAT environment and facing the following issues

  The SMP version is 2.3 SP03 and Work Manager is V6 with LAM

1. The client has provided a certificate and chain certificate which in public certificate by Entrust for a URL that they want to use to access the work manager application

          e.g. URL : sapmobilem.workm.com

    DNS is configured for the above URL.

2. Using the above certificate and private key I have created the .pfx file which have used in the work manager deployment bundle and the entries for the same are done in the Agentry.ini file.

3. Also I have installed the chain certificate on the server.

4.The application is running on the TCP on port 7003 and the server name is CLOSMSUPU.

5. The team doing the F5 changes has configured the following

          a. redirection to the above mentioned server using TCP and offloading SSL disabled.( tried with enable SSL offloading also)

          b.443 port is configure to accept the connection from the work manager application

6. When I am using the Work Manager application with server as the above FQDNs and port as 443 I am getting SSL Invalid Chain error.

7. There is no log item created on the UAT server where the work manager application is running. The event.log file has no entry for the attempt to connect.

Please let me know what could be the issue.

Tags edited by: Michael Appleby

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

amey_baisane
Participant
‎08-13-2014 9:32 AM
0 Kudos

Hi All,

I apologies for asking the question in the middle of the discussion.. Actually I am also working on environment where I need to setup/ configure the F5 load balancer in between SMP and SAP backend system.I have no idea on how to achive this,

what configuration/ setting I need to do in my SMP / SAP Control Center  if some one can provide a steps / guide or any link which help me to achive this then that will be really a great help.

I have already started the new discussion on the forum but didn't got much reply on that..

here is the link for the discussion link - http://scn.sap.com/thread/3599675

Thanks in Advance,

- Amey

Show replies
Show replies
bill_froelich
Product and Topic Expert
Product and Topic Expert
‎08-13-2014 12:54 PM
0 Kudos

Amey,

This question is dealing specifically with the load balancer between the client and SMP server (specifically for an Agentry application).  You are asking about a load balancer between the SMP server and SAP which will be a different setup and configuration.  You are also not using an Agentry application so this thread really doesn't apply.

I see you have already created a new thread for your question which is the right place to start.

Good luck!

bill_froelich
Product and Topic Expert
Product and Topic Expert
‎06-20-2014 5:24 AM
0 Kudos

With SMP 2.3, Agentry is using the ANGEL protocol.  While the server is using SSL encryption it is not an standard protocol that can be proxied.  You need to configure the F5 for a TCP pass through configuration.

The SSL Invalid Chain error will occur because of one of two reasons.  The server name entered on the client does not exactly match the common name on the certificate in the .pfx file or the certificate authority that signed the certificiate is not trusted.  The second in particular may be an issue is there are intermediate authorities.

Have you tried using a port other than 443 on the F5.  The F5 may be expecting https traffic and in turn returning the certificate of the F5 rather than passing through the traffic to the SMP server.

In terms of a log entry I wouldn't be surprised if you don't see anything until it gets beyond the certificate check which is currently failing.

--Bill

Show replies
Show replies
Former Member
‎06-20-2014 5:23 AM
0 Kudos

It is not normally recommend to use port 443 because that is the Default HTTPs port. 

Can you confirm that you can connect with a client even from the machine itself?

Stephen

Show replies
Show replies
Former Member
‎06-20-2014 5:34 AM
0 Kudos

Thanks for the quick reply.

Yes i can connect to the server directly using FQHN and port 7003 but as expected I get the SSL Invalid chain error.

I will check if we setup other port instead of 443 and see.

bill_froelich
Product and Topic Expert
Product and Topic Expert
‎06-20-2014 5:37 AM
0 Kudos

What client are you trying to use?

If windows (win32, WPF or ATE) you can setup the FQHN in the hosts file on the windows macine and specify the IP address of the server so that it will resolve locally instead of from the DNS server.  This will allow you to confirm the certificate setup on the SMP server.

--Bill

Former Member
‎06-20-2014 5:47 AM
0 Kudos

Thanks Bill for the reply.

I will check with Windows. Till now I was using iPad to connect the server using FQHN.

Ask a Question